chore(deps)!: Update GitHub Actions (major)

[williaby]

ℹ️ Note

This PR body was truncated due to platform limits.

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
actions/attest-build-provenance	action	major	v1.5.2 → v4.1.0
actions/checkout	action	major	v4.3.1 → v6.0.2
actions/checkout	action	major	v4 → v6
actions/checkout	action	major	v4.2.2 → v6.0.2
actions/dependency-review-action	action	major	v4.9.0 → v5.0.0
actions/download-artifact	action	major	v4 → v8
actions/setup-python	action	major	v5.6.0 → v6.2.0
actions/upload-artifact	action	major	v4.6.2 → v7.0.1
actions/upload-artifact	action	major	v4 → v7
astral-sh/setup-uv	action	major	v4 → v7
astral-sh/setup-uv	action	major	v6.8.0 → v8.1.0
astral-sh/setup-uv	action	major	v4.2.0 → v8.1.0
codecov/codecov-action	action	major	v4.6.0 → v6.0.1
dorny/paths-filter	action	major	v3.0.3 → v4.0.1
github/codeql-action	action	major	v3.35.3 → v4.36.0
google-github-actions/auth	action	major	v2 → v3
google-github-actions/setup-gcloud	action	major	v2 → v3
python-semantic-release/python-semantic-release	action	major	v9.21.1 → v10.5.3

Warnings (1)

Please correct - or verify that you can safely ignore - these warnings before you merge this PR.

• actions/attest-build-provenance: Could not determine new digest for update (github-tags package actions/attest-build-provenance)

---

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

• ✅ Patch update: bug fixes and security patches only
• ✅ No breaking changes

Acceptance Criteria

• All CI checks pass

Testing

• CI gates pass (tests, lint, type checking, security scan)

Notes

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in #​836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in #​838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

Compare Source

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in #​835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

Compare Source

What's Changed

• Bump @​actions/core from 1.11.1 to 2.0.1 by @​dependabot[bot] in #​776
• Add more documentation on Artifact Metadata Storage Records by @​malancas in #​797
• Update actions/attest to latest version v3.2.0 by @​malancas in #​812

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

Compare Source

What's Changed

• Prepare v3 release by @​bdehamer in #​697
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​749
• Bump tar from 7.5.1 to 7.5.2 by @​dependabot[bot] in #​753
• Bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in #​754
• Bump @​types/node from 24.10.1 to 25.0.2 by @​dependabot[bot] in #​774
• Bump @​actions/attest from 1.6.0 to 2.0.0 by @​dependabot[bot] in #​736
• Bump @​actions/attest from 2.0.0 to 2.1.0 by @​dependabot[bot] in #​775
• Add support for creating artifact metadata storage records by @​malancas in #​779

New Contributors

• @​malancas made their first contribution in #​779

Full Changelog: actions/attest-build-provenance@v3...v3.1.0

v3.0.0

Compare Source

What's Changed

• Adjust node max-http-header-size setting by @​bdehamer in #​687
• Bump actions/attest from v2.4.0 to v3.0.0 by @​bdehamer in #​691
  • Bump to node24 runtime
  • Improved checksum parsing
• Bump attest-build-provenance/predicate to v2.0.0 by @​bdehamer in #​693
  • Bump to node24 runtime by @​bdehamer in #​692

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/attest-build-provenance@v2.4.0...v3.0.0

v2.4.0

Compare Source

What's Changed

• Bump undici from 5.28.5 to 5.29.0 by @​dependabot in #​633
• Bump actions/attest from 2.3.0 to 2.4.0 by @​bdehamer in #​654
  • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-build-provenance@v2.3.0...v2.4.0

v2.3.0

Compare Source

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in #​615
  • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

v2.2.3

Compare Source

What's Changed

• Pin actions/attest reference by commit SHA by @​bdehamer in #​493

Full Changelog: actions/attest-build-provenance@v2.2.2...v2.2.3

v2.2.2

Compare Source

What's Changed

• Bump predicate action from 1.1.4 to 1.1.5 by @​bdehamer in #​485
  • Bump @​actions/attest from 1.5.0 to 1.6.0 by @​bdehamer in #​484
    • Update buildSLSAProvenancePredicate to populate workflow.ref field from the ref claim in the OIDC token (actions/toolkit#1969)

Full Changelog: actions/attest-build-provenance@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's Changed

• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​457
• Bump @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot in #​469
• Bump @​octokit/request from 8.2.0 to 8.4.1 by @​dependabot in #​478
• Bump actions/attest from 2.2.0 to 2.2.1 by @​bdehamer in #​481
  • Includes @actions/attest v1.6.0

Full Changelog: actions/attest-build-provenance@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Changed

• Bump actions/attest from v2.1.0 to v2.2.0 by @​bdehamer in #​449
  • Includes support for now subject-checksums input parameter

Full Changelog: actions/attest-build-provenance@v2.1.0...v2.2.0

v2.1.0

Compare Source

What's Changed

• Update README w/ note about GH plans supporting attestations by @​bdehamer in #​414
• Add attestation-id and attestation-url outputs by @​bdehamer in #​415

Full Changelog: actions/attest-build-provenance@v2.0.1...v2.1.0

v2.0.1

Compare Source

What's Changed

• Bump actions/attest from 2.0.0 to 2.0.1 by @​bdehamer in #​406
  • Deduplicate subjects before adding to in-toto statement

Full Changelog: actions/attest-build-provenance@v2.0.0...v2.0.1

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in #​1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in #​1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in #​1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in #​1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in #​1076
• Resolve security findings by @​AshelyTC in #​1094
• v5.0.0 release branch by @​ahpook in #​1098

New Contributors

• @​scottschreckengaust made their first contribution in #​1084
• @​mongolyy made their first contribution in #​1091
• @​Marukome0743 made their first contribution in #​1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

actions/download-artifact (actions/download-artifact)

v8

Compare Source

v7

Compare Source

v6

Compare Source

v5

Compare Source

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in #​1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in #​1253 and #​1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancements:

• Add support for pip-install input by @​gowridurgad in #​1201
• Add graalpy early-access and windows builds by @​timfel in #​880

Dependency and Documentation updates:

• Enhanced wording and updated example usage for allow-prereleases by @​yarikoptic in #​979
• Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @​dependabot in #​1139
• Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @​dependabot in #​1094
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @​dependabot in #​1199
• Upgrade requests from 2.32.2 to 2.32.4 by @​dependabot in #​1130
• Upgrade prettier from 3.5.3 to 3.6.2 by @​dependabot in #​1234
• Upgrade @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @​dependabot in #​1235

New Contributors

• @​yarikoptic made their first contribution in #​979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in #​1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in #​1129
• Enhance reading from .python-version by @​krystof-k in #​787
• Add version parsing from Pipfile by @​aradkdj in #​1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in #​1183
• Change missing cache directory error to warning by @​aparnajyothi-y in #​1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in #​1122
• Include python version in PyPy python-version output by @​cdce8p in #​1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in #​1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in #​843
• Upgrade form-data to fix critical vulnerabilities #​182 & #​183 by @​aparnajyothi-y in #​1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in #​1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​1095

New Contributors

• @​krystof-k made their first contribution in #​787
• @​cdce8p made their first contribution in #​1110
• @​aradkdj made their first contribution in #​1067

Full Changelog: actions/setup-python@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

Compare Source

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@​v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in #​719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in #​744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in #​745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in #​681
• Update README.md by @​nebuk89 in #​712
• Readme: spell out the first use of GHES by @​danwkennedy in #​727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in #​734

New Contributors

• @​GhadimiR made their first contribution in #​681
• @​nebuk89 made their first contribution in #​712
• @​danwkennedy made their first contribution in #​727
• @​patrikpolyak made their first contribution in #​725

Full Changelog: actions/upload-artifact@v4...v5.0.0

astral-sh/setup-uv (astral-sh/setup-uv)

v7

Compare Source

v6

Compare Source

v5

Compare Source

codecov/codecov-action (codecov/codecov-action)

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

v5.5.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

Compare Source

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in #​1864
• Pin actions/github-script by Git SHA by @​martincostello in #​1859
• fix: check reqs exist by @​joseph-sentry in #​1835
• fix: Typo in README by @​spalmurray in #​1838
• docs: Refine OIDC docs by @​spalmurray in #​1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in #​1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

Compare Source

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in #​1822
• fix: OIDC on forks by @​joseph-sentry in #​1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.1..v5.4.2

v5.4.1

Compare Source

What's Changed

• fix: use the github core methods by @​thomasrockhu-codecov in #​1807
• build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​app/dependabot in #​1803
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​app/dependabot in #​1797
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​app/dependabot in #​1798
• chore(release): wrapper -0.2.1 by @​app/codecov-releaser-app in #​1788
• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​app/dependabot in #​1786

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.0..v5.4.1

v5.4.0

Compare Source

What's Changed

• update wrapper submodule to 0.2.0, add recurse_submodules arg by @​matt-codecov in #​1780
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @​app/dependabot in #​1775
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @​app/dependabot in #​1776
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @​app/dependabot in #​1777
• Clarify in README that use_pypi bypasses integrity checks too by @​webknjaz in #​1773
• Fix use of safe.directory inside containers by @​Flamefire in #​1768
• Fix description for report_type input by @​craigscott-crascit in #​1770
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @​app/dependabot in #​1765
• Fix a typo in the example by @​miranska in #​1758
• build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @​app/dependabot in #​1757
• build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 by @​app/dependabot in #​1753

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.1..v5.4.0

v5.3.1

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.0..v5.3.1

v5.3.0

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.2.0..v5.3.0

v5.2.0

Compare Source

What's Changed

• Fix typo in README by @​tserg in #​1747
• Th/add commands by @​thomasrockhu-codecov in #​1745
• use correct audience when requesting oidc token by @​juho9000 in #​1744
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 by @​app/dependabot in #​1742
• build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 by @​app/dependabot in #​1743
• chore(deps): bump wrapper to 0.0.32 by @​thomasrockhu-codecov in #​1740
• feat: add disable-telem feature by @​thomasrockhu-codecov in #​1739
• fix: remove erroneous linebreak in readme by @​Vampire in #​1734

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.1.2..v5.2.0

v5.1.2

Compare Source

What's Changed

• fix: update statment by @​thomasrockhu-codecov in #​1726
• fix: update action script by @​thomasrockhu-codecov in #​1725
• fix: prevent oidc on tokenless due to permissioning by @​thomasrockhu-codecov in #​1724
• chore(release): wrapper-0.0.31 by @​app/codecov-releaser-app in #​1723
• Put quotes around ${{ inputs.token }} in action.yml by @​jwodder in #​1721
• build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @​app/dependabot in #​1722
• Remove mistake from options table by @​Acconut in #​1718
• build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @​app/dependabot in #​1717

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.1.1..v5.1.2

v5.1.1

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.1.0..v5.1.1

v5.1.0

Compare Source

What's Changed

• fix: hide unnecessary error on shasum by @​thomasrockhu-codecov in #​1692
• build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @​app/dependabot in #​1701
• chore(release): wrapper-0.0.29 by @​app/codecov-releaser-app in #​1713

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.0.7..v5.1.0

v5.0.7

Compare Source

What's Changed

• fix: use HEAD_REPO by [@​thomasrockhu-codecov](https://redirect.gith

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Walkthrough

This PR updates GitHub Actions to newer pinned versions across seven workflow files (.github/workflows/ci.yml, codeql.yml, dependency-review.yml, pr-validation.yml, publish-artifact-registry.yml, release.yml, and slsa-provenance.yml). No workflow logic, job conditions, command execution, or configuration is altered—only action version pins are bumped.

Changes

GitHub Actions Version Upgrades

Layer / File(s)	Summary
Core infrastructure actions (checkout, setup-python, setup-uv) .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/pr-validation.yml, .github/workflows/publish-artifact-registry.yml, .github/workflows/release.yml, .github/workflows/slsa-provenance.yml	actions/checkout is bumped from v4 to v6 across all workflows; astral-sh/setup-uv advances from v4–v6 to v7–v8; actions/setup-python is updated in codeql.yml and slsa-provenance.yml. These actions provide repository access, Python environment setup, and dependency management.
Testing, analysis, and tooling actions .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/release.yml	codecov/codecov-action upgraded in ci.yml coverage job; github/codeql-action updated in codeql.yml; dorny/paths-filter bumped in ci.yml detect-changes job; actions/dependency-review-action updated from v4.9.0 to v5.0.0; python-semantic-release/python-semantic-release upgraded from v9.21.1 to v10.5.3 in release.yml.
Platform and artifact handling actions .github/workflows/ci.yml, .github/workflows/publish-artifact-registry.yml, .github/workflows/slsa-provenance.yml	actions/upload-artifact and actions/download-artifact updated in ci.yml and slsa-provenance.yml; actions/attest-build-provenance upgraded in slsa-provenance.yml; google-github-actions/auth and google-github-actions/setup-gcloud advanced from v2 to v3 in publish-artifact-registry.yml for Google Cloud integration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Dependency Dashboard cookiecutter-template-sample#3: Updates to actions/attest-build-provenance and other actions in slsa-provenance.yml align with Renovate dependency management.
• ByronWilliamsCPA/taxdome#7: Shares same GitHub Actions version updates across .github/workflows files including actions/checkout and astral-sh/setup-uv.
• ByronWilliamsCPA/maester-tests#14: Updates identical action pins (actions/checkout, astral-sh/setup-uv) across workflow files.
• Dependency Dashboard DeQA-Doc#16: Overlaps on actions/checkout, dependency-review, and codeql action updates.
• Dependency Dashboard family-office-portal#6: Shares upgrades to actions/checkout and astral-sh/setup-uv across multiple workflow files.
• Dependency Dashboard llc-manager#12: Addresses the same actions/dependency-review-action updates reported by Renovate.
• Dependency Dashboard cookiecutter-python-template#35: Directly resolves GitHub Actions version issues including actions/attest-build-provenance in slsa-provenance.yml.
• ByronWilliamsCPA/template-sample#4: Updates to slsa-provenance.yml including actions/attest-build-provenance are directly related.
• Dependency Dashboard reference-library#10: Shares coordinated actions/checkout (v6.0.2) and other action version upgrades.
• Dependency Dashboard gleif#23: Updates the same GitHub Actions versions across multiple workflow files.

Suggested labels

ci

Poem

🐰 GitHub Actions leap ahead,
From v4 to v6, old versions shed,
Setup-uv bounds to newer heights,
CI pipelines now have fresh delights!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating GitHub Actions to major versions across the entire CI/CD workflow suite.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/major-github-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Updates pinned GitHub Actions across the repository’s CI/CD workflows to newer major versions (primarily moving to Node 24–based action runtimes and newer action feature sets).

Changes:

• Bumps core CI actions (checkout, setup-python, setup-uv, artifact upload/download) to new major versions across workflows.
• Updates security/scanning actions (CodeQL) and coverage upload (Codecov) to new major versions.
• Updates release/publishing workflows (python-semantic-release, google-github-actions/auth, setup-gcloud) to new major versions.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/slsa-provenance.yml	Updates checkout/setup-python/setup-uv/upload-artifact and attest-build-provenance pins for provenance generation.
.github/workflows/release.yml	Updates checkout/setup-uv and python-semantic-release action pins for the release workflow.
.github/workflows/publish-artifact-registry.yml	Updates checkout/setup-uv and Google Cloud auth/setup-gcloud pins for publishing to Artifact Registry.
.github/workflows/pr-validation.yml	Updates checkout and setup-uv pins for PR validation/dead-code job setup.
.github/workflows/dependency-review.yml	Updates checkout pin for dependency review workflow.
.github/workflows/codeql.yml	Updates checkout/setup-python/setup-uv and CodeQL init/analyze pins.
.github/workflows/ci.yml	Updates checkout/paths-filter/setup-uv/artifact download+upload and Codecov action pins in CI.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 45: Update each GitHub Actions checkout step that runs in pull_request
workflows to disable persisted Git credentials by adding the option
persist-credentials: false to the checkout action invocations; specifically
modify the occurrences of "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" (the checkout steps
present at the referenced locations) so they include a keys block with
persist-credentials: false to prevent supplying repo credentials to subsequent
steps.

In @.github/workflows/pr-validation.yml:
- Line 64: The checkout step currently uses "uses:
actions/checkout@de0fac2e4500d..." without disabling credential persistence;
update the checkout action invocation (the actions/checkout usage) to include a
with: persist-credentials: false setting so the GITHUB_TOKEN is not written into
git config for PR workflows.

In @.github/workflows/publish-artifact-registry.yml:
- Around line 172-175: The workflow is passing a base64-encoded secret into the
google-github-actions/auth step's credentials_json input (the step using
google-github-actions/auth), but credentials_json must receive raw JSON; either
replace the secret with a raw-minified JSON secret (e.g., GCP_SA_KEY_JSON) and
set credentials_json to that secret, or decode the base64 before passing it by
using GitHub Actions functions (e.g., convert base64 to JSON and feed the
result) so the credentials_json parameter receives the actual Service Account
JSON rather than the encoded string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d43d58d9-e98b-4258-95cf-98b664275325

📥 Commits

Reviewing files that changed from the base of the PR and between c0eb24a and 75116a3.

📒 Files selected for processing (7)

• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/dependency-review.yml
• .github/workflows/pr-validation.yml
• .github/workflows/publish-artifact-registry.yml
• .github/workflows/release.yml
• .github/workflows/slsa-provenance.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -250

Repository: ByronWilliamsCPA/python-libs

Length of output: 9248

---

Disable persisted Git credentials in all PR-executed checkout actions.

Lines 45, 74, 122, 166, and 191 perform checkout in pull_request workflows. Since none of the subsequent steps require authenticated git operations, add persist-credentials: false to each checkout action to follow the principle of least privilege and reduce attack surface.

Required changes

       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

Apply this change to lines 45, 74, 122, 166, and 191.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 45, Update each GitHub Actions checkout
step that runs in pull_request workflows to disable persisted Git credentials by
adding the option persist-credentials: false to the checkout action invocations;
specifically modify the occurrences of "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" (the checkout steps
present at the referenced locations) so they include a keys block with
persist-credentials: false to prevent supplying repo credentials to subsequent
steps.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Find and examine the workflow file
find . -path "./.github/workflows/pr-validation.yml" -type f

Repository: ByronWilliamsCPA/python-libs

Length of output: 110

---

🏁 Script executed:

# Read the workflow file to see the context around line 64
cat -n .github/workflows/pr-validation.yml | head -80

Repository: ByronWilliamsCPA/python-libs

Length of output: 3282

---

🏁 Script executed:

# Check the entire workflow for any authenticated git operations
cat -n .github/workflows/pr-validation.yml | tail -20

Repository: ByronWilliamsCPA/python-libs

Length of output: 971

---

🏁 Script executed:

# Also check if there are any other checkout actions or git operations in this file
grep -n "git\|push\|commit\|credentials" .github/workflows/pr-validation.yml

Repository: ByronWilliamsCPA/python-libs

Length of output: 331

---

Harden checkout by disabling credential persistence.

This job executes repository code from pull requests; keep the GITHUB_TOKEN out of git config since no authenticated git operations are performed.

Suggested hardening

       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-validation.yml at line 64, The checkout step currently
uses "uses: actions/checkout@de0fac2e4500d..." without disabling credential
persistence; update the checkout action invocation (the actions/checkout usage)
to include a with: persist-credentials: false setting so the GITHUB_TOKEN is not
written into git config for PR workflows.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/publish-artifact-registry.yml

Repository: ByronWilliamsCPA/python-libs

Length of output: 8895

---

🏁 Script executed:

cat .github/workflows/publish-artifact-registry.yml | head -200

Repository: ByronWilliamsCPA/python-libs

Length of output: 6976

---

🏁 Script executed:

cat .github/workflows/publish-artifact-registry.yml

Repository: ByronWilliamsCPA/python-libs

Length of output: 8895

---

🌐 Web query:

google-github-actions/auth credentials_json format documentation

💡 Result:

The credentials_json input for the google-github-actions/auth GitHub Action expects the raw content of a Google Cloud Service Account Key JSON file [1][2]. To use this input correctly: 1. Format: The value must be the valid JSON object exported from the Google Cloud Console for a Service Account [2]. 2. Storage: It is strongly recommended to store this JSON as a GitHub Actions Secret [1][2]. 3. Best Practice: The documentation advises minifying the JSON into a single-line string before saving it as a GitHub Secret [1]. This prevents issues where GitHub Actions might aggressively sanitize or mask characters (such as curly braces or brackets) if the secret contains multiple lines [1]. 4. Usage in YAML: Reference the secret in your workflow file as follows [1][2]: - uses: 'google-github-actions/auth@v3' with: credentials_json: '${{ secrets.YOUR_SECRET_NAME }}' Important Security Note: Google and the maintainers of google-github-actions/auth strongly prefer using Workload Identity Federation over Service Account Key JSONs [1][3][4]. Workload Identity Federation eliminates the need for long-lived keys, which are a significant security risk if compromised [3][4]. If you must use credentials_json, ensure the service account has the roles/iam.serviceAccountTokenCreator role on itself [1][2].

Citations:

• 1: https://github.com/google-github-actions/auth
• 2: https://github.com/google-github-actions/auth/blob/main/docs/EXAMPLES.md
• 3: https://github.com/google-gemini/gemini-cli-action/blob/a2b9c054/docs/workload-identity.md
• 4: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions

---

Fix credentials_json to receive raw JSON, not base64-encoded.

The credentials_json parameter for google-github-actions/auth expects the raw JSON content of a Service Account Key. The secret is base64-encoded (as evidenced by the base64 -d decoding on line 192), which will cause authentication to fail at this step.

Store the raw JSON key (minified) as a separate secret (e.g., GCP_SA_KEY_JSON), or decode the base64 before passing it: credentials_json: ${{ fromJSON(base64ToJson(secrets.GCP_SA_KEY_BASE64)) }} if using base64.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-artifact-registry.yml around lines 172 - 175, The
workflow is passing a base64-encoded secret into the google-github-actions/auth
step's credentials_json input (the step using google-github-actions/auth), but
credentials_json must receive raw JSON; either replace the secret with a
raw-minified JSON secret (e.g., GCP_SA_KEY_JSON) and set credentials_json to
that secret, or decode the base64 before passing it by using GitHub Actions
functions (e.g., convert base64 to JSON and feed the result) so the
credentials_json parameter receives the actual Service Account JSON rather than
the encoded string.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	safety@​3.7.0
	pyjwt@​2.10.1
	pytest@​9.0.1
	pre-commit@​4.5.0
	pip-audit@​2.10.0
	rich@​14.2.0
	redis@​7.1.0
	python-dotenv@​1.2.1
	pydantic@​2.12.5
	python-frontmatter@​1.1.0
	ruff@​0.14.8
	starlette@​0.50.0
	pyyaml@​6.0.3
	pydantic-settings@​2.12.0
	pytest-cov@​7.0.0
	ruamel-yaml@​0.18.16
	vulture@​2.14
	pytest-asyncio@​1.3.0
	respx@​0.22.0
	pytest-xdist@​3.8.0
	structlog@​25.5.0

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud